microsoft · Flickdm · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c
@@ -203,6 +203,8 @@ TestVerifyEcBasic (
 {
   UINTN    CurveCount;
   BOOLEAN  Status;
+  VOID     *BnXOut; // MU_CHANGE
+  VOID     *BnYOut; // MU_CHANGE
 
   //
   // Initialize BigNumbers
@@ -244,6 +246,24 @@ TestVerifyEcBasic (
     Status = EcPointIsOnCurve (Group, Point1, NULL);
     UT_ASSERT_TRUE (Status);
 
+    // MU_CHANGE [BEGIN]
+    // Round-trip: get coordinates back and verify they match
+    BnXOut = BigNumInit ();
+    BnYOut = BigNumInit ();
+    if ((BnXOut == NULL) || (BnYOut == NULL)) {
+      return UNIT_TEST_ERROR_TEST_FAILED;
+    }
+
+    Status = EcPointGetAffineCoordinates (Group, Point1, BnXOut, BnYOut, NULL);
+    UT_ASSERT_TRUE (Status);
+    UT_ASSERT_TRUE (BigNumCmp (BnXOut, BnX) == 0);
+    UT_ASSERT_TRUE (BigNumCmp (BnYOut, BnY) == 0);
+    BigNumFree (BnXOut, TRUE);
+    BigNumFree (BnYOut, TRUE);
+    BnXOut = NULL;
+    BnYOut = NULL;
+    // MU_CHANGE [END]
+
     Status = EcPointIsAtInfinity (Group, Point1);
     UT_ASSERT_FALSE (Status);
 
@@ -371,10 +391,13 @@ TestVerifyEcKey (
   BOOLEAN  Status;
   VOID     *EcPrivKey;
   VOID     *EcPubKey;
+  VOID     *EcAltKey; // MU_CHANGE
   UINT8    HashValue[SHA256_DIGEST_SIZE];
   UINTN    HashSize;
   UINT8    Signature[66 * 2];
   UINTN    SigSize;
+  UINT8    AltPublic[64]; // MU_CHANGE
+  UINTN    AltPublicLen; // MU_CHANGE
 
   //
   // Retrieve EC private key from PEM data.
@@ -428,6 +451,53 @@ TestVerifyEcKey (
              );
   UT_ASSERT_TRUE (Status);
 
+  // MU_CHANGE [BEGIN]
+  //
+  // Tampered message test: flip a byte in the hash and verify that the signature
+  // is rejected, then restore the original hash value.
+  //
+  HashValue[0] ^= 0xFF;
+  Status        = EcDsaVerify (
+                    EcPubKey,
+                    CRYPTO_NID_SHA256,
+                    HashValue,
+                    HashSize,
+                    Signature,
+                    SigSize
+                    );
+  UT_ASSERT_FALSE (Status);
+  HashValue[0] ^= 0xFF;
+  // MU_CHANGE [END]
+
+  // MU_CHANGE [BEGIN]
+  //
+  // Cross-key rejection: generate a fresh key pair and confirm it cannot verify
+  // a signature produced by a different private key.
+  //
+  EcAltKey = EcNewByNid (CRYPTO_NID_SECP256R1);
+  if (EcAltKey == NULL) {
+    EcFree (EcPrivKey);
+    EcFree (EcPubKey);
+    UT_LOG_ERROR ("Failed to allocate EcAltKey");
+    return UNIT_TEST_ERROR_TEST_FAILED;
+  }
+
+  AltPublicLen = sizeof (AltPublic);
+  Status       = EcGenerateKey (EcAltKey, AltPublic, &AltPublicLen);
+  UT_ASSERT_TRUE (Status);
+
+  Status = EcDsaVerify (
+             EcAltKey,
+             CRYPTO_NID_SHA256,
+             HashValue,
+             HashSize,
+             Signature,
+             SigSize
+             );
+  UT_ASSERT_FALSE (Status);
+  EcFree (EcAltKey);
+  // MU_CHANGE [END]
+
   EcFree (EcPrivKey);
   EcFree (EcPubKey);
 

diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/RsaPkcs7Tests.c
@@ -663,6 +663,212 @@ TestVerifyPkcs7SignVerifyNonSelfIssued (
   return UNIT_TEST_PASSED;
 }
 
+// MU_CHANGE [BEGIN]
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyPkcs7GetSigners (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN  Status;
+  UINT8    *P7SignedData;
+  UINTN    P7SignedDataSize;
+  UINT8    *CertStack;
+  UINTN    StackLength;
+  UINT8    *TrustedCert;
+  UINTN    CertLength;
+
+  P7SignedData = NULL;
+  CertStack    = NULL;
+  TrustedCert  = NULL;
+
+  //
+  // Build a PKCS#7 signed blob to operate on.
+  //
+  Status = Pkcs7Sign (
+             TestKeyPem,
+             sizeof (TestKeyPem),
+             (CONST UINT8 *)PemPass,
+             (UINT8 *)Payload,
+             AsciiStrLen (Payload),
+             TestCert,
+             sizeof (TestCert),
+             NULL,
+             &P7SignedData,
+             &P7SignedDataSize
+             );
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_NOT_NULL (P7SignedData);
+
+  //
+  // Extract signers — CertStack and TrustedCert must be freed with Pkcs7FreeSigners().
+  //
+  Status = Pkcs7GetSigners (
+             P7SignedData,
+             P7SignedDataSize,
+             &CertStack,
+             &StackLength,
+             &TrustedCert,
+             &CertLength
+             );
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_NOT_NULL (CertStack);
+  UT_ASSERT_NOT_EQUAL (StackLength, 0);
+  UT_ASSERT_NOT_NULL (TrustedCert);
+  UT_ASSERT_NOT_EQUAL (CertLength, 0);
+
+  Pkcs7FreeSigners (CertStack);
+  Pkcs7FreeSigners (TrustedCert);
+  CertStack   = NULL;
+  TrustedCert = NULL;
+
+  //
+  // GetCertificatesList — outputs chained and unchained cert lists.
+  //
+  Status = Pkcs7GetCertificatesList (
+             P7SignedData,
+             P7SignedDataSize,
+             &CertStack,
+             &StackLength,
+             &TrustedCert,
+             &CertLength
+             );
+  UT_ASSERT_TRUE (Status);
+
+  if (CertStack != NULL) {
+    Pkcs7FreeSigners (CertStack);
+  }
+
+  if (TrustedCert != NULL) {
+    Pkcs7FreeSigners (TrustedCert);
+  }
+
+  FreePool (P7SignedData);
+
+  return UNIT_TEST_PASSED;
+}
+
+// MU_CHANGE [END]
+
+// MU_CHANGE [BEGIN]
+/**
+  Test Pkcs7Encrypt: encrypt a payload for a recipient identified by TestCert
+  (RSA public key cert).  Verifies the function produces non-empty output and
+  tests invalid-argument rejection.
+
+  Test Pkcs7GetAttachedContent: the blob produced by Pkcs7Sign uses
+  PKCS7_DETACHED so this call returns FALSE / empty — but the API must
+  not crash and must behave correctly.
+**/
+UNIT_TEST_STATUS
+EFIAPI
+TestVerifyPkcs7Encrypt (
+  IN UNIT_TEST_CONTEXT  Context
+  )
+{
+  BOOLEAN  Status;
+  UINT8    *X509Stack;
+  UINT8    *ContentInfo;
+  UINTN    ContentInfoSize;
+  UINT8    *P7SignedData;
+  UINTN    P7SignedDataSize;
+  VOID     *AttachedContent;
+  UINTN    AttachedContentSize;
+
+  X509Stack           = NULL;
+  ContentInfo         = NULL;
+  P7SignedData        = NULL;
+  AttachedContent     = NULL;
+  AttachedContentSize = 0;
+
+  //
+  // Build an X509 stack containing the test certificate as the recipient.
+  //
+  Status = X509ConstructCertificateStack (
+             &X509Stack,
+             TestCert,
+             sizeof (TestCert),
+             NULL
+             );
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_NOT_NULL (X509Stack);
+
+  //
+  // Encrypt the payload for the recipient.
+  //
+  ContentInfoSize = 0;
+  Status          = Pkcs7Encrypt (
+                      X509Stack,
+                      (UINT8 *)Payload,
+                      AsciiStrLen (Payload),
+                      CRYPTO_NID_AES256CBC,
+                      CRYPTO_PKCS7_DEFAULT,
+                      &ContentInfo,
+                      &ContentInfoSize
+                      );
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_NOT_NULL (ContentInfo);
+  UT_ASSERT_NOT_EQUAL (ContentInfoSize, 0);
+
+  FreePool (ContentInfo);
+  ContentInfo = NULL;
+
+  //
+  // Invalid-argument rejection: NULL X509Stack must return FALSE.
+  //
+  ContentInfoSize = 0;
+  Status          = Pkcs7Encrypt (
+                      NULL,
+                      (UINT8 *)Payload,
+                      AsciiStrLen (Payload),
+                      CRYPTO_NID_AES256CBC,
+                      CRYPTO_PKCS7_DEFAULT,
+                      &ContentInfo,
+                      &ContentInfoSize
+                      );
+  UT_ASSERT_FALSE (Status);
+
+  X509StackFree (X509Stack);
+
+  //
+  // Pkcs7GetAttachedContent: Pkcs7Sign produces detached content, so the
+  // result is FALSE with Content=NULL / ContentSize=0.
+  //
+  Status = Pkcs7Sign (
+             TestKeyPem,
+             sizeof (TestKeyPem),
+             (CONST UINT8 *)PemPass,
+             (UINT8 *)Payload,
+             AsciiStrLen (Payload),
+             TestCert,
+             sizeof (TestCert),
+             NULL,
+             &P7SignedData,
+             &P7SignedDataSize
+             );
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_NOT_NULL (P7SignedData);
+
+  Status = Pkcs7GetAttachedContent (
+             P7SignedData,
+             P7SignedDataSize,
+             &AttachedContent,
+             &AttachedContentSize
+             );
+  //
+  // Detached signature: no content embedded — TRUE but Content=NULL / ContentSize=0.
+  //
+  UT_ASSERT_TRUE (Status);
+  UT_ASSERT_EQUAL (AttachedContentSize, 0);
+  UT_ASSERT_TRUE (AttachedContent == NULL);
+
+  FreePool (P7SignedData);
+
+  return UNIT_TEST_PASSED;
+}
+
+// MU_CHANGE [END]
+
 TEST_DESC  mRsaCertTest[] = {
   //
   // -----Description--------------------------------------Class----------------------Function-----------------Pre---Post--Context
@@ -678,6 +884,8 @@ TEST_DESC  mPkcs7Test[] = {
   //
   { "TestVerifyPkcs7SignVerify()",              "CryptoPkg.BaseCryptLib.Pkcs7", TestVerifyPkcs7SignVerify,              NULL, NULL, NULL },
   { "TestVerifyPkcs7SignVerifyNonSelfIssued()", "CryptoPkg.BaseCryptLib.Pkcs7", TestVerifyPkcs7SignVerifyNonSelfIssued, NULL, NULL, NULL },
+  { "TestVerifyPkcs7GetSigners()",              "CryptoPkg.BaseCryptLib.Pkcs7", TestVerifyPkcs7GetSigners,              NULL, NULL, NULL }, // MU_CHANGE
+  { "TestVerifyPkcs7Encrypt()",                 "CryptoPkg.BaseCryptLib.Pkcs7", TestVerifyPkcs7Encrypt,                 NULL, NULL, NULL }, // MU_CHANGE
 };
 
 UINTN  mPkcs7TestNum = ARRAY_SIZE (mPkcs7Test);